[57] ABSTRACT

A method is disclosed for providing user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected group of users.

6 Claims, 4 Drawing Sheets 
METHOD AND SYSTEM FOR PROVIDING USER ACCESS CONTROL WITHIN A DISTRIBUTED DATA PROCESSING SYSTEM BY THE EXCHANGE OF ACCESS CONTROL PROFILES

CROSS-REFERENCE TO RELATED APPLICATIONS

This application relates in general to U.S. patent application Ser. No. 07/480,440, filed of even date herewith, entitled "METHOD FOR PROVIDING VARIABLE AUTHORITY LEVEL USER ACCESS CONTROL IN A DISTRIBUTED DATA PROCESSING SYSTEM," and U.S. patent application Ser. No. 07/480,442, filed of even date herewith, entitled "[title partly illegible in scan] ... ACCESS ... PROCESSING SYSTEM," by the inventor hereof and assigned to the Assignee herein.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to data processing systems in general and in particular to improved methods of providing access control for a plurality of resource objects within a distributed data processing system. Still more particularly, the present invention relates to a system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

2. Description of the Related Art

Security and access control systems in computer based data processing systems are well known in the prior art. Existing access control systems are generally oriented to a single host system. Such single host access control systems are generally utilized to provide security for the host and access control to applications and system resources, such as files. Each application must generally provide access control for the resources controlled by that application.

One example of an access control system designed for utilization with the IBM 370 system is a product called RACF, or Resource Access Control Facility. RACF offers access control for applications, such as files or CICS transactions, and is hierarchically oriented in access authority levels and grouping of users. RACF is a password oriented access control system and access is granted or denied based upon a user's individual identity and his or her knowledge of a password to verify that identity. The RACF system is, however, oriented to a single host system and cannot be employed in a distributed data processing system which employs multiple hosts associated with separate groups of resource objects, due to the fact that this system does not allow the interchange of access control information from one host to another.

Another example of known access control systems is AS/400. The AS/400 system is a capability based system in which security is based upon each individual resource object. Each user is authorized to access individual resource objects based upon the user's capability within the system. The AS/400 system maintains security by keeping User Profiles, Object Authority, and System Values within the architecture of the machine itself. As above, this system is highly efficient at controlling access to resource objects controlled by a single host; however, access to resource objects located within a distributed data processing system containing multiple hosts cannot be controlled. That is, access to a resource object controlled by one host cannot be obtained by a user enrolled at a second host.

One other example of an access control system is the DB2 product. This product permits a more flexible access control and offers granular or bundled access control authority. For example, the DB2 system may utilize special authorities for administration or database operations. Further, access privilege may be bundled into a specified authority or role so that a user may access specific resource objects based upon the user's title or authority level, rather than the user's personal identity. However, as above, the DB2 system does not possess the capability of exchanging access control information with non-DB2 applications.

Therefore, it should be obvious that a need exists for a method of providing access control in a distributed data processing system whereby access to selected resource objects may be controlled throughout the distributed data processing system by means of the exchange of access control information throughout the system.

SUMMARY OF THE INVENTION

It is therefore one object of the present invention to provide an improved data processing system.

It is another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system.

It is yet another object of the present invention to provide an improved method of providing access control for a plurality of resource objects within a distributed data processing system which permits the rapid and efficient interchange of access control information throughout a distributed data processing system.

The foregoing objects are achieved as is now described. The method of the present invention may be utilized to provide user access control for a plurality of resource objects within a distributed data processing system having a plurality of resource managers. A reference monitor service is established and a plurality of access control profiles are stored therein. Thereafter, selected access control profiles are exchanged between the reference monitor service and a resource manager in response to an attempted access of a particular resource object controlled by that resource manager. The resource manager may then control access to the resource object by utilizing the exchanged access control profile. In a preferred embodiment of the present invention, each access control profile may include access control information relating to a selected user; a selected resource object; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objects and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:
FIG. 1 depicts a pictorial representation of a distributed data processing system which may be utilized to implement the method of the present invention;

FIG. 2 depicts in block diagram form the access con- 
trol system utilized with the method of the present 
invention; 

FIG. 3 is a high level flow chart depicting the estab- 
lishment of an access control system in accordance with 
the method of the present invention; and 

FIG. 4 is a high level flow chart depicting access to 
a resource object in accordance with the method of the 
present invention. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

With reference now to the figures, and in particular with reference to FIG. 1, there is depicted a pictorial representation of a data processing system 8 which may be utilized to implement the method of the present invention. As may be seen, data processing system 8 may include a plurality of networks, such as Local Area Networks (LAN) 10 and 32, each of which preferably includes a plurality of individual computers 12 and 30, respectively. Of course, those skilled in the art will appreciate that a plurality of Interactive Work Stations (IWS) coupled to a host processor may be utilized for each such network.

As is common in such data processing systems, each individual computer may be coupled to a storage device 14 and/or a printer/output device 16. One or more such storage devices 14 may be utilized, in accordance with the method of the present invention, to store applications or resource objects which may be periodically accessed by any user within data processing system 8. In a manner well known in the prior art, each such application or resource object stored within a storage device 14 is associated with a Resource Manager, which is responsible for maintaining and updating all resource objects associated therewith.

Still referring to FIG. 1, it may be seen that data processing network 8 may also include multiple main frame computers, such as main frame computer 18, which may be preferably coupled to Local Area Network (LAN) 10 by means of communications link 22. Main frame computer 18 may also be coupled to a storage device 20 which may serve as remote storage for Local Area Network (LAN) 10. Similarly, Local Area Network (LAN) 10 may be coupled via communications link 24 through a subsystem control unit/communications controller 26 and communications link 34 to a gateway server 28. Gateway server 28 is preferably an individual computer or Interactive Work Station (IWS) which serves to link Local Area Network (LAN) 32 to Local Area Network (LAN) 10.

As discussed above with respect to Local Area Network (LAN) 32 and Local Area Network (LAN) 10, resource objects may be stored within storage device 20 and controlled by main frame computer 18, as resource manager for the resource objects thus stored. Of course, those skilled in the art will appreciate that main frame computer 18 may be located a great geographic distance from Local Area Network (LAN) 10 and similarly Local Area Network (LAN) 10 may be located a substantial distance from Local Area Network (LAN) 32. That is, Local Area Network (LAN) 32 may be located in California while Local Area Network (LAN) 10 may be located within Texas and main frame computer 18 may be located in New York.

In known prior art systems of this type, should the user of an individual computer 30 desire to access a resource object stored within storage device 20, associated with main frame computer 18, it will be necessary for the user of computer 30 to be enrolled within the security system of main frame computer 18. This is necessary in order for the user of computer 30 to present the proper password to obtain access to the desired resource object. Of course, those skilled in the art will appreciate that this technique will prove ungainly in distributed data processing systems, such as data processing system 8 depicted within FIG. 1.

Referring now to FIG. 2, there is depicted in block diagram form the access control system which is utilized with the method of the present invention. As is depicted, Local Area Networks (LAN) 10 and 32 are illustrated by dashed lines as is main frame computer 18. In each instance resource objects 42, 48 and 54 are illustrated in association with each portion of distributed data processing system 8 of FIG. 1. Of course, each object thus illustrated will be stored within one or more storage devices associated with each portion of data processing system 8. As is illustrated, Local Area Network 10 includes a resource manager 40 which may be one or more individual computers which are utilized to manage selected resource objects. Also established within Local Area Network 10 is a Reference Monitor 44. Reference Monitor 44, in accordance with the method of the present invention, is an application or service which is utilized to store access control profiles which may include access control information relating to: selected users; selected resource objects; a selected group of users; a selected set of resource objects; or, a predetermined set of resource objects and a selected list of users, each authorized to access at least a portion of said predetermined set of resource objects.

Still referring to FIG. 2, it may be seen that within Local Area Network (LAN) 32 a resource manager 46 is illustrated, which is utilized, in a manner well known in the art, to control access to resource object 48. Similarly, a Reference Monitor 50 is established within Local Area Network (LAN) 32. Reference Monitor 50 is, as described above, preferably utilized to store access control profiles relating to individual users within Local Area Network 32 as well as resource objects stored within Local Area Network 32.

Finally, main frame computer 18 is illustrated as including a resource manager 52 which has associated therewith one or more resource objects 54.

In accordance with an important feature of the present invention, any attempted access of a resource object, such as resource object 42, 48 or 54, will automatically result in a query by the associated resource manager to one or more Reference Monitor applications to determine whether or not the access requested will be permitted. It should be noted that, in accordance with the depicted embodiment of the present invention, only one Reference Monitor application is required for data processing system 8; however, two are illustrated. In accordance with the method of the present invention, communications links between a single Reference Monitor application may be established with each and every resource manager within data processing system 8 (see FIG. 1) so that access to selected resource objects may be controlled in accordance with the access control information stored within the profiles within that Reference Monitor.
In this manner, a user within Local Area Network (LAN) 32 may, via the communications links depicted within FIG. 1, request access to a resource object 54 associated with main frame computer 18. As will be explained in greater detail herein, resource manager 52 will then query Reference Monitor 44 and/or Reference Monitor 50 to determine whether or not a profile exists which permits the requested access. If so, the profile information is exchanged between the appropriate Reference Monitor and resource manager 52 and access to resource object 54 may be permitted.

With reference now to FIG. 3, there is depicted a high level flow chart illustrating the establishment of an access control system in accordance with the method of the present invention. As is illustrated, the process begins at block 60 and thereafter passes to block 62, which depicts the defining of an access control profile for an object or group of objects, by the associated resource manager. Thereafter, block 64 illustrates the storing of that profile within a Reference Monitor application. Next, block 66 illustrates a determination of whether or not additional objects require an access control profile to be established and if so, the process returns to block 62 and continues thereafter in an iterative fashion.

In the event no additional resource objects require access control profiles, the process passes to block 68 which illustrates the establishment by an associated resource manager of an access control profile for one or more users within the distributed data processing system. Thereafter, block 70 illustrates the storing of the access control profile thus created in an associated Reference Monitor application. Block 72 next determines whether or not additional users within the data processing system require access control profiles to be created. If so, as above, the process returns to block 68 to define the additional profiles. In the event no additional users require access control profiles, then the process terminates, as illustrated in block 74. Of course, those skilled in the art will appreciate that in this manner it will be possible to create various access control profiles which contain access control information relating to a single resource object, a group of resource objects, an individual user, a group of users, or, a predetermined set of resource objects and a selected group of users.

Finally, referring to FIG. 4, there is depicted a high level flow chart depicting access to a resource object in accordance with the method of the present invention. As is illustrated, the process begins at block 80 and thereafter passes to block 82 which illustrates the receipt by a resource manager of an access request for a resource object within that resource manager's purview. Next, the process passes to block 84 which illustrates the query of the nearest Reference Monitor application to determine whether or not an access control profile exists for the resource object or user in question.

Block 86 next depicts a determination of whether or not the appropriate access control profile is defined locally and if so, block 88 illustrates a determination of whether or not access to the specific resource object is permitted. This determination is, as those skilled in the art will appreciate, simply a matter of comparing the defined access control profile with the parameters of the resource object and the user in question. Thereafter, as illustrated in block 90, if the determination of block 88 so permits, access to the resource object is provided and the process terminates, as depicted in block 92.

Returning to block 86, in the event an access control profile is not defined locally, then block 94 illustrates a determination of whether or not an appropriate access control profile is defined anywhere within the system. If so, block 96 depicts the retrieval of that profile and the process then returns to block 88 for a determination of whether or not access to the selected resource object is permitted. Thereafter, if access is permitted, the process passes to block 90 which illustrates the accessing of the resource object and the subsequent termination of the process.

In the event the access control profile required is not defined anywhere within data processing system 8 (see FIG. 1), or access to the desired resource object is not permitted, as illustrated by the determination within block 88, then block 98 depicts the denial of access to the requested resource object with an appropriate message to the requester.
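The establishment procedure of FIG. 3 and the access decision of FIG. 4, laid over the two-monitor topology of FIG. 2, as an added worked example in Python. This is not code from the patent; the monitor names, users, groups, resource objects and the `build_system` helper are constructed for illustration. Two points the flow charts leave implicit are made explicit here: block 98 is fail-closed (a profile that exists nowhere means deny, with no default), and group membership is resolved from enrolment held by the Reference Monitors rather than supplied by the requester. The example assumes the resource manager has already authenticated the requesting user, which the description does not address.

```python
"""Added example (not from the patent): one Reference Monitor per network
segment, resource managers that query the nearest monitor and fall back to its
peers, and a fail-closed decision when no profile exists anywhere. All names
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple, Optional


@dataclass(frozen=True)
class Profile:
    """A set of resource objects plus the users and groups allowed to perform
    the listed operations on them (the fifth profile kind in the abstract)."""
    name: str
    objects: FrozenSet[str]
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    operations: FrozenSet[str] = frozenset({"read"})


class Decision(NamedTuple):
    allowed: bool
    reason: str  # the "appropriate message to the requester" of block 98


class ReferenceMonitor:
    """Holds profiles and enrolment (user -> groups) for one part of the system."""

    def __init__(self, name: str, enrolment: Dict[str, FrozenSet[str]]) -> None:
        self.name = name
        self.enrolment = enrolment
        self.profiles: Dict[str, Profile] = {}
        self.peers: List["ReferenceMonitor"] = []

    def store(self, profile: Profile) -> None:
        """FIG. 3, blocks 64 and 70: profile names are unique within a monitor."""
        if profile.name in self.profiles:
            raise ValueError(f"profile {profile.name!r} already stored in {self.name}")
        self.profiles[profile.name] = profile

    def lookup_local(self, obj: str) -> Optional[Profile]:
        """FIG. 4, block 86: is a profile for this object defined locally?"""
        return next((p for p in self.profiles.values() if obj in p.objects), None)

    def lookup(self, obj: str) -> Optional[Profile]:
        """FIG. 4, blocks 86, 94 and 96: local first, then every peer monitor."""
        for monitor in [self] + self.peers:
            profile = monitor.lookup_local(obj)
            if profile is not None:
                return profile
        return None

    def groups_of(self, user: str) -> FrozenSet[str]:
        """Membership comes from enrolment held by the monitors, never from the
        requester, so a caller cannot claim groups it does not belong to."""
        groups = set()
        for monitor in [self] + self.peers:
            groups |= monitor.enrolment.get(user, frozenset())
        return frozenset(groups)


def permits(profile: Profile, user: str, op: str, user_groups: FrozenSet[str]) -> bool:
    """FIG. 4, block 88: compare the profile with the user and operation in question."""
    if op not in profile.operations:
        return False
    return user in profile.users or bool(user_groups & profile.groups)


class ResourceManager:
    """Controls a set of resource objects; assumes the requester is already authenticated."""

    def __init__(self, name: str, objects: FrozenSet[str], monitor: ReferenceMonitor) -> None:
        self.name, self.objects, self.monitor = name, objects, monitor

    def request(self, user: str, obj: str, op: str) -> Decision:
        """FIG. 4, blocks 82 to 98."""
        if obj not in self.objects:
            return Decision(False, f"{obj} is not within the purview of {self.name}")
        profile = self.monitor.lookup(obj)  # blocks 84, 86, 94 and 96
        if profile is None:  # block 98: no profile anywhere, so fail closed
            return Decision(False, f"no access control profile for {obj}; access denied")
        if not permits(profile, user, op, self.monitor.groups_of(user)):
            return Decision(False, f"profile {profile.name} does not permit {user} to {op} {obj}")
        return Decision(True, f"{op} on {obj} granted to {user} by profile {profile.name}")


def build_system():
    """Constructed topology after FIG. 2: monitors 44 (LAN 10) and 50 (LAN 32) are
    peered; manager 52 on the main frame uses 44, manager 46 on LAN 32 uses 50."""
    rm44 = ReferenceMonitor("Reference Monitor 44", {"bob": frozenset({"payroll-staff"})})
    rm50 = ReferenceMonitor("Reference Monitor 50", {"alice": frozenset({"auditors"})})
    rm44.peers.append(rm50)
    rm50.peers.append(rm44)
    # FIG. 3: an object profile (block 62) and a user profile (block 68), both stored in 44.
    rm44.store(Profile("ledger-readers", frozenset({"ledger.dat"}), groups=frozenset({"auditors"})))
    rm44.store(Profile("payroll-admins", frozenset({"payroll.db"}), users=frozenset({"bob"}),
                       operations=frozenset({"read", "write"})))
    mainframe = ResourceManager("resource manager 52", frozenset({"ledger.dat", "archive.tape"}), rm44)
    lan32 = ResourceManager("resource manager 46", frozenset({"payroll.db"}), rm50)
    return mainframe, lan32
```

`build_system()` returns the two resource managers. `mainframe.request("alice", "ledger.dat", "read")` is granted because Reference Monitor 44 holds the profile locally and learns alice's `auditors` membership from its peer; `lan32.request("bob", "payroll.db", "write")` is granted only after Reference Monitor 50 finds nothing locally and retrieves the profile from Reference Monitor 44 (blocks 94 and 96); a request for `archive.tape`, for which no profile exists anywhere, is denied with a message (block 98).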

Upon reference to the foregoing, those skilled in the art will appreciate that by utilizing one or more Reference Monitor applications within a distributed data processing system, each containing one or more access control profiles relating to resource objects or users, it will be possible to control access to a plurality of resource objects located within various subsections of a distributed data processing system, without requiring each individual user within the distributed data processing system 8 to enroll with each resource manager located at every point within the system. By permitting the rapid and efficient interchange of access control profiles containing access control information throughout the system, necessary access control decisions are made at a limited number of locations and the process is greatly enhanced in terms of efficiency.

While the invention has been particulariy shown and 
described with reference to a preferred embodiment, it 
will be understood by those skilled in the art that vari- 
ous changes in form and detail may be made therein 
without departing from the spirit and scope of the in- 
vention. 

I claim: 

1. A computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said method comprising the computer implemented steps of:

storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;

querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;

transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;

utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and

denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

2. The computer implemented method of providing 
user access control for a plurality of resource objects 
within a distributed data processing system according 
to claim 1 wherein selected ones of said plurality of 
access control profiles each include access control in- 
formation relating to a selected group of users. 

3. A computer implemented method of providing 
user access control for a plurality of resource objects 
within a distributed data processing system having a 
plurality of resource managers associated with said 
plurality of resource objects, each of said plurality of 
resource managers controlling access to different se- 
lected ones of said resource objects, said method com- 
prising the steps of: 

establishing at least one reference monitor service 
within said distributed data processing system; 

associating each resource manager with a reference 
monitor service; 

storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;

querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;

transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;

utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and

denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

4. The computer implemented method of providing user access control for a plurality of resource objects within a distributed data processing system according to claim 3, wherein selected ones of said plurality of access control profiles each include access control information relating to a selected group of users.



5. A data processing system for providing user access control for a plurality of resource objects within a distributed data processing system having at least one reference monitor service and a plurality of resource managers associated with said plurality of resource objects, each of said plurality of resource managers controlling access to different selected ones of said resource objects, each of said resource managers associated with a reference monitor service, said data processing system comprising:

means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;

means for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;

means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; and if not, for attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;

means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and

means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.

6. A data processing system for providing user access 
control for a plurality of resource objects within a dis- 
tributed data processing system having a plurality of 
resource managers associated with said plurality of 
resource objects, each of said plurality of resource man- 
agers controlling access to different selected ones of 
said resource objects, said data processing system com- 
prising: 

means for establishing at least one reference monitor 
service within said distributed data processing sys- 
tem; 

means for associating each resource manager with a 
reference monitor service; 

means for storing a plurality of unique access control profiles within each said reference monitor service, wherein selected ones of said plurality of access control profiles each include access control information relating to a predetermined set of said resource objects and a selected list of users each authorized to access at least a portion of said predetermined set of resource objects;

means for querying an associated reference monitor service by a selected one of said resource managers in response to an attempted access of a particular resource object among said plurality of resource objects, wherein access to said particular resource object is controlled by said selected resource manager;

means for transmitting a selected access control profile associated with said particular resource object from said associated reference monitor service to said selected one of said resource managers if said selected access control profile existed in said associated reference monitor service; if not, attempting to retrieve said selected access control profile from another said reference monitor service and thereafter transmitting said retrieved access control profile to said selected one of said resource managers;

means for utilizing said selected resource manager to control access to said particular resource object in accordance with access control information in said selected access control profile; and

means for denying access to said particular resource object in response to a failure to retrieve said selected access control profile.